CVE-2025-61229 is a vulnerability identified in Shirt Pocket's SuperDuper! backup software version 3.10 and earlier. The flaw allows a local attacker to modify the application's default task template, which is used to define preflight scripts executed before backup operations. By altering this template, an attacker can inject arbitrary scripts that run with root privileges and Full Disk Access on macOS systems. This effectively bypasses macOS's privacy protections designed to restrict application access to sensitive user data and system resources. The vulnerability stems from improper access control (CWE-284), where the software does not adequately restrict modifications to critical configuration files or templates. The CVSS v3.1 base score is 8.4, indicating high severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits have been reported yet, the potential for privilege escalation and full system compromise is significant. The vulnerability is particularly concerning for environments where multiple users have local access or where endpoint security is lax. Organizations relying on SuperDuper! for backup on macOS should monitor for updates and prepare to apply patches promptly. Additionally, auditing and restricting local user permissions and monitoring system changes can help mitigate risk until a patch is available.

The vulnerability allows an attacker with local access to escalate privileges to root and gain Full Disk Access, compromising the confidentiality, integrity, and availability of the affected macOS system. This can lead to unauthorized access to sensitive data, modification or deletion of critical files, and potential disruption of backup operations. For European organizations, especially those handling regulated or sensitive information (e.g., financial, healthcare, government sectors), this could result in data breaches, regulatory non-compliance, and operational downtime. The bypass of macOS privacy controls undermines built-in security mechanisms, increasing the risk of persistent threats and lateral movement within networks. The impact is amplified in environments where multiple users share systems or where endpoint security controls are insufficient to detect or prevent unauthorized local changes.

1. Apply official patches from Shirt Pocket as soon as they are released to address this vulnerability. 2. Until patches are available, restrict local user permissions to prevent unauthorized modification of SuperDuper! task templates and configuration files. 3. Implement strict endpoint security controls to monitor and alert on changes to backup task templates or execution of unusual preflight scripts. 4. Use macOS security features such as System Integrity Protection (SIP) and Full Disk Access controls to limit application and user privileges. 5. Conduct regular audits of backup configurations and system logs to detect suspicious activities. 6. Educate users about the risks of local privilege escalation and enforce policies to limit local administrative access. 7. Consider alternative backup solutions with stronger security postures if immediate patching is not feasible. 8. Employ application whitelisting to prevent unauthorized script execution within backup workflows.